Personal health data vulnerable in BC, commissioner says

VICTORIA – Sensitive personal health records of British Columbia residents, from mental health to sexually transmitted disease histories, are “disturbingly” vulnerable to leaks, the provincial privacy watchdog says. Information and privacy commissioner Michael McEvoy (pictured) says in a report released by his office in December that security gaps in the public health computer system put it at risk of abuse by bad actors, from cyber criminals to jilted lovers looking for information about an ex.

“Every British Columbian should be troubled by these findings, because it means personal information in the system is vulnerable to misuse and attack,” McEvoy says in an introduction to the report, titled “Left untreated: Security gaps in B.C.’s public health database.”

Collecting and storing personal information is vital to the delivery of health care and managing threats like communicable disease outbreaks, the report says.

However, it says the system’s “entry gate” is weak and the industry standard of multi-factor authentication for access is not universally required.

There’s also no proactive audit program that would alert authorities to individuals trying to use the system for nefarious purposes. Instead, threats are only addressed after a breach or security issue occurs, it says.

McEvoy says it’s “troubling” that the Provincial Health Services Authority, which is responsible for managing the system, has known about the risks since at least 2019 and made little progress to address them.

However, PHSA president David Byres says in a statement the health authority takes privacy seriously and will continue taking steps to ensure sensitive information is secure and protected.

PHSA already upgrades its security systems regularly and assessments have consistently indicated that patient data is sufficiently protected, he says.

The authority also has a user access auditing system in place and is working to enhance those processes. It has a dedicated cybersecurity team that actively works to lessen threats, he adds.

“We thank the Office of the Information and Privacy Commissioner for this report. We commit to carefully reviewing the findings and continuing to ensure our databases are safe and secure for everyone we serve.”

The report makes seven recommendations to address the system’s privacy and security risks, including encrypting personal information.

Technical solutions exist, but they will cost money, McEvoy says. While it may not seem like a top priority when weighed against the value of adding more hospital beds and doctors or shortening surgery wait times, he says the consequences of not doing so could be “catastrophic.”

McEvoy points to a cyberattack last year that knocked out information technology systems in Newfoundland and Labrador’s largest health authority, forcing officials to cancel thousands of appointments, including cancer care.

Eastern Health said that more than 58,000 people had their private data exposed by hackers in the breach.

“These impacts are serious, and we need to treat them seriously,” McEvoy says.